operating system security - jayhawk sfsoperating system security isolation virtual machines and...
TRANSCRIPT
Operating System Security- 2017 GenCyber Camp
Bo LuoAssociate Professor
Director, Information Assurance Lab, ITTCThe University of Kansas, Lawrence, KS, USA
[email protected]; http://www.ittc.ku.edu/~bluo
First Principles of Cybersecurity
The first principles of security are the foundation
upon which security mechanisms are reliably built;
and security policies can be reliably implemented.
Study the principles
Use them to examine the design of real-world
security mechanisms
Operating System Security
Process Isolation
Resource Encapsulation
Least Privilege
Operating System Security
OS: still software
All software security vulnerabilities apply
OS must protect users from each other
memory protection
file protection
general control and access to objects
user authentication
4
Operating System Security
The fundamental tradeoff of OS security
operating systems tradeoff between:
Sharing
Protection
sharing is desirable
protection is difficult
5
Operating System Security
Early History
no OS
programs entered directly in binary through switches
user’s program only one on system
user responsible for:
loading dependent libraries, other tools
scheduling time to use computer
OS security?
6
Operating System Security
Later
machines very expensive
people less expensive
maximize use of machine
allow many users
7
Operating System Security
OS protection – separation.
Physical separation, e.g. 1 user/printer
Temporal separation
Logical separation: user thinks own machine
Cryptographic separation, expensive
Combinations of these
8
Operating System Security
Levels of Protection
no protection
isolation
share all or nothing
share via access limitation
share by capabilities
limit use of an object
9
Operating System Security
No protection
e.g. early versions of windows
some embedded environments
designed for one user
no need for isolation, access control, etc.
10
Operating System Security
Isolation
Processes unaware of other processes
Each process: own portion of memory (address space), files,
etc.
OS provides confinement
11
Operating System Security
Isolation
Processes unaware of other processes
Each process: own portion of memory (address space), files,
etc.
OS provides confinement
Example: a word processor, a database and a browser
running on a computer
All running in different address spaces, to ensure correct
operation, security and protection
The word processor cannot access the memory of the browser
or database.
If two processes are running and one of the processes has a
problem, that problem should be confined to the process with a
problem and not affect the other process.
12
Operating System Security
Isolation
Processes unaware of other processes
Each process: own portion of memory (address space), files,
etc.
OS provides confinement
What if the OS has a bug?
What if the OS is compromised or cannot be trusted?
13
Operating System Security
Isolation
Virtual machines and cloud computing
VMWare or Virtual Box
multiple operating systems to execute on the same computer
without interfering with other program
Cloud computing
Host OS vs. Guest OS
In this context, each OS is viewed as a process, to be kept
separate from the other processes (OSs).
Program running in each OS, should not be aware of programs
running on another OS, nor should they be aware of the
existence of another OS.
If a guest OS is compromised, it should not affect the host OS
or any other guest OS
14
Operating System Security
Some resources still need to be shared
Shared libraries
Files
Database
How should we manage the resources?
15
Resource Encapsulation
A computer has many resources.
Hardware based: memory, disk drives, or monitor
System objects: semaphores, a linked list, or shared
memory
Owned by the OS or users
Resources may be shared, but how?
High-level abstraction of resources
Resource Encapsulation
Encapsulation: object oriented concept
All data and functions required to use the resource are
packaged into a single self-contained component.
Only allow access or manipulation of the resource in the
way the designer intended.
Example: assume a flag pole is the object.
Fixed methods to used the flag pole
Put the flag on, take the flag off, raise or lower the flag.
Nothing else can be done to the flag pole.
In addition to controlling what operations can be performed
on the resource, the system can also control which users
can perform these operations on the resource.
Access Control
Some resources need to be shared
Which users can perform operations on the resource?
Access control!
Share all or nothing
owner of object declares it:
Public: available to all users
Private: not available
18
Access Control
Share via access limitation
Resource/files are shared
Who can access what?
Access control lists
Access Control Matrices
Capabilities
19
Access Control
Ensures that all direct accesses to object are
authorized
Protects against accidental and malicious threats by
regulating the read, write and execution of data and
programs
Requires:
Proper user identification
Information specifying the access rights is protected form
modification
Access Control
Access control components:
Access control policy
specifies the authorized accesses of a system
Access control mechanism
implements and enforces the policy
Access Control
How to describe the policies?
“Who can access what?”
Subject: active entity that requests access to an object
- e.g., user or program
Object: passive entity accessed by a subject
- e.g., hardware resource, file, data record
Access right (privileges): how a subject is allowed to access
an object
- e.g., subject s can read object o; subject s can execute
program p
Access Control
Access Control of General Objects
check every access
user permitted doesn’t mean always permitted
enforce least privilege
grant access to minimum set of objects required to complete a
task
verify acceptable usage
stack: push(), pop(), …
Shouldn’t be able to do anything else to stack
23
Access Control
Least Privilege
Allow the minimum number of privileges necessary to
accomplish the task.
Earlier versions of Windows: single user, highest privilege.
OS with access control
How do define privilege for each user?
Access Control
Least Privilege
Allow the minimum number of privileges necessary to
accomplish the task.
Earlier versions of Windows: single user, highest privilege.
OS with access control
New computer: user starts with an administrative account.
This account has privileges to install software, add users, add
hardware, and add and delete almost any program or file.
The account is all powerful and must be used wisely.
If a person uses a browser to access a website that contains
malware and they are running as administrator, it is more likely
that malware could be installed.
If the person was running as a regular user with minimal
privileges, the malware would not have been installed.
Discussion
In mobile OS (iOS, Android), how should we adopt
the concepts of process isolation, resource
encapsulation, and least privilege?